[VulnWatch] shtool insecure temporary file creation

From: ZATAZ.net (exploits_at_zataz.net)
Date: 05/25/05

  • Next message: Team SHATTER: "[VulnWatch] [AppSecInc Advisory BEA05-V0101] BEA WebLogic Administration Console login page cross-site scripting vulnerability"
    Date: Wed, 25 May 2005 19:44:40 +0200
    To: moderators@osvdb.org, bugs@securitytracker.com, vuldb@securityfocus.com, vuln@secunia.com, vuln@k-otik.com, submissions@packetstormsecurity.org, news@securiteam.com, xforce@iss.net, bugtraq@securityfocus.com, vulnwatch@vulnwatch.org, full-disclosure@lists.grok.org.uk
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    #########################################################

    shtool insecure temporary file creation

    Vendor: http://www.gnu.org/software/shtool/
    Advisory: http://www.zataz.net/adviso/shtool-05252005.txt
    Vendor informed: no more vendor
    Exploit available: yes
    Impact : low
    Exploitation : low

    #########################################################

    shtool contain a security flaw wich could allow a
    malicious local user to create or overwrite content off arbitrary files
    with the right off the user how use shtool.

    The vulnerability is a race condition.

    A lot off products use shtool, for exemple :

    - - ocan-mysql
    - - SellaNMS
    - - ipcmp
    - - OOPSE
    - - OpenLDAP
    - - PHP
    - - OpenPKG
    - - others ....

    ##########
    Versions:
    ##########

    shtool <= 2.0.1

    ##########
    Solution:
    ##########

    As I know only Gentoo has provide an update to shtool.
    Use mktemp, umask and chmod to create secure temporary file

    #########
    Timeline:
    #########

    Discovered : 2005-05-25
    Vendor notified : 2005-05-25
    Vendor response : no more vendor
    Vendor fix : no vendor fix
    Disclosure : 2005-05-25

    #####################
    Technical details :
    #####################

    Vulnerable code :
    - -----------------

    572 # establish a temporary file on request
    573 if [ ".$gen_tmpfile" = .yes ]; then
    574 if [ ".$TMPDIR" != . ]; then
    575 tmpdir="$TMPDIR"
    576 elif [ ".$TEMPDIR" != . ]; then
    577 tmpdir="$TEMPDIR"
    578 else
    579 tmpdir="/tmp"
    580 fi
    581 tmpfile="$tmpdir/.shtool.$$"
    582 rm -f $tmpfile >/dev/null 2>&1
    583 touch $tmpfile
    584 chmod 600 $tmpfile
    585 fi

    597 # cleanup procedure
    598 shtool_exit () {
    599 rc="$1"
    600 if [ ".$gen_tmpfile" = .yes ]; then
    601 rm -f $tmpfile >/dev/null 2>&1 || true
    602 fi
    603 exit $rc
    604 }

    The gen_tmpfile is used for tarball, subst, scpp ant path actions.

    #########
    Related :
    #########

    Bug report : http://bugs.gentoo.org/show_bug.cgi?id=93782

    #####################
    Credits :
    #####################

    Eric Romang (eromang@zataz.net - ZATAZ Audit)
    Thxs to Gentoo Security Team. (Taviso, jaervosz, solar, etc.)
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.1 (Darwin)

    iD8DBQFClLmIXXuxWE8lDAcRAjXNAJ4tDchC7D3T7dQ/cY4mZ2hb3VYlIwCdHNAc
    YCtVQmrCHRBu3l5topwCi28=
    =dghw
    -----END PGP SIGNATURE-----


  • Next message: Team SHATTER: "[VulnWatch] [AppSecInc Advisory BEA05-V0101] BEA WebLogic Administration Console login page cross-site scripting vulnerability"

    Relevant Pages